[nylug-talk] Intrusion Detection
H. G.
tekronis at gmail.com
Mon Mar 31 15:27:53 EDT 2008
On Sun, Mar 30, 2008 at 5:47 PM, Lee Revell <rlrevell at joe-job.com> wrote:
> On Fri, Mar 28, 2008 at 12:30 PM, Chris Knadle <Chris.Knadle at coredump.us>
> wrote:
> > On Thursday 27 March 2008, H. G. wrote:
> > > As I recall, the most low-impact way to monitor the filesystem was
> > > with fam or something, since fam alerts you when files change,
> > > as opposed to you manually sweeping the filesystem looking
> > > for changes (causing lots of disk activity and performance
> > > problems in the process). OSSEC doesn't use the former
> > > strategy, unfortunately. :-(
> >
> > I've been playing around with Osiris some. One of the complaints that's
> > typical of AIDE, Tripwire, etc, is that the checksums for files are stored
> > locally (with an offline copy to verify). Osiris stores and checks checksums
> > using an encrypted connection with a remote server (unless of course the
> > daemon and client are on the same box). It's worth a look.
> >
>
> We use Samhain at my workplace. It's quite good, can store checksums
> on a remote server, and does not noticeably impact performance when
> sweeping the filesystem.
>
> http://www.la-samhna.de/samhain/
>
> The free web interface is not great, but there's a better one you can
> buy (source included IIRC) for about 100 euros.
>
> Lee
>
Thanks, Lee. Samhain looks pretty good, definitely planning on giving it a
once-over.
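The two design points the thread turns on, a sweep-style checker that reads every file on each run and the weakness of keeping the checksum database only on the monitored host, shown in a small Python script. This is an added example, not code from Samhain, Osiris, AIDE, Tripwire or any of the posters; the directory layout, file contents, drift scenario and HMAC key are constructed for the demonstration, and the key stands in for one that would really be held on a remote verification server.

```python
from __future__ import annotations

import hashlib
import hmac
import json
import tempfile
from pathlib import Path

CHUNK = 1 << 16


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files are not loaded whole."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Sweep the tree once and record a digest plus metadata per regular file.

    This is the 'manual sweep' strategy the thread contrasts with fam-style
    change notification: every run reads every file, which is the I/O cost
    being discussed."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            st = p.lstat()
            baseline[p.relative_to(root).as_posix()] = {
                "sha256": hash_file(p),
                "size": st.st_size,
                "mode": oct(st.st_mode & 0o7777),
            }
    return baseline


def seal_baseline(baseline: dict, key: bytes) -> tuple[bytes, str]:
    """Serialise the baseline and attach an HMAC-SHA256 tag.

    The key is meant to live where the monitored host cannot write (the
    remote server in the Osiris/Samhain model), so someone who can edit the
    local database cannot also re-sign it."""
    blob = json.dumps(baseline, sort_keys=True).encode()
    tag = hmac.new(key, blob, hashlib.sha256).hexdigest()
    return blob, tag


def baseline_is_authentic(blob: bytes, tag: str, key: bytes) -> bool:
    """Constant-time check that a stored baseline still matches its tag."""
    expected = hmac.new(key, blob, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


def diff_baselines(old: dict, new: dict) -> dict:
    """Classify the differences between two sweeps."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(k for k in set(old) & set(new) if old[k] != new[k])
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Constructed scenario: baseline a small tree, change it, detect the drift."""
    key = b"placeholder-key-held-on-verifier"  # constructed; a real key stays off-host
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"\x7fELF-placeholder")

        first = build_baseline(root)
        blob, tag = seal_baseline(first, key)

        # Simulated drift between sweeps: one file edited, one removed, one created.
        (root / "etc" / "passwd").write_text(
            "root:x:0:0:root:/root:/bin/sh\nguest:x:1000:1000::/home/guest:/bin/sh\n"
        )
        (root / "etc" / "hosts").unlink()
        (root / "bin" / "nc").write_bytes(b"\x7fELF-placeholder-2")

        second = build_baseline(root)
        changes = diff_baselines(json.loads(blob), second)

        # Simulated edit of the stored baseline itself; the tag no longer verifies.
        tampered = blob.replace(b"passwd", b"passwd2")
        return {
            "changes": changes,
            "seal_ok": baseline_is_authentic(blob, tag, key),
            "tampered_seal_ok": baseline_is_authentic(tampered, tag, key),
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the script reports the edited, removed and created files from the second sweep, confirms the original sealed baseline, and rejects the tampered copy. The seal is what makes "locally stored checksums" survive a host compromise only if the key (or a copy of the sealed blob) is kept elsewhere; without that, the database and the files it describes are under the same control.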